Mind the Communication Gap (or how not to run a penetration test)

When customers and vendors fail to communicate, it’s a recipe for disaster – as one company learned only too well.

A company I have been talking to recently told me about a penetration test they ran on a website. It was not, as it turned out, the most successful of penetration tests.

It started out well. The site was in the process of being developed and they wanted to make sure they were aware of any issues before it went live. They knew they needed to appoint a third party to carry out the test and were very thorough in the appointing process, meeting with multiple vendors to be certain they had chosen the right team. So, after hours of meetings, PowerPoint presentations and lots and lots of talk, a vendor was finally selected to run the penetration test. They were good to go.

The dangers of going it alone

Unfortunately, in their haste to find the best third party, they failed to invite a single member of the internal IT team to any of their meetings, or to inform the other vendors who were in the process of delivering the website.

A mistake that turned out to have big consequences.

The tests were run and a highly negative report was submitted by the third party. According to the report, there were over 40 holes in the website, which amounted to a total disaster at a time of ever-greater demands for security and compliance.

Assumption is the mother of all screw-ups

Given the site had failed so spectacularly, the vendors who had been commissioned to develop it received an almighty roasting over the poor quality of their work. When they asked why they had not been told about the penetration test, and where it had been run from, they were told that the tests had been run from external sources. Which is when the full magnitude of the mistake was realised.

Given that the site hadn’t yet gone live, it wasn’t reachable from outside the network. So the testing vendor simply could not have reached the new site from an external source, let alone tested it.

Right test. Wrong site.

It turned out the test had not been run on the new site under development, as intended, but on the pre-existing live site.

So, not only had the test been a complete waste of time, money and energy, they’d also damaged their relationship with their vendors by blaming them for something they’d not done. Not to mention the fact that they’d been running a live site for three years that wasn’t fit for purpose.

In short, it was an embarrassment all round.

So, what can we learn from this story?

1) Get your vendors working together

There will often be times when you have different teams of suppliers dealing with overlapping areas of your business. The key is to get them to collaborate – to share their skills and knowledge so that everyone can do their best possible job. If they’re not willing or able to work together, you've probably got the wrong people for the job.

2) Garbage in. Garbage out.

A test is only as good as the information you put into it. For a penetration test, that means a written scope, agreed by the internal IT team and the developers before the testers start, that names the exact hosts, URLs and IP addresses to be tested, which environment they belong to (development, staging or live) and where the testers will run from. A target that can only be reached from inside the network cannot be tested from outside it, and a hostname that still points at the old site will get you a report on the old site. If you don't take the time to get that right, the test will be a waste of time – not to mention money.

3) Talk. Talk. And talk some more.

The key to every successful project is communication. Internal and external. Make sure that everyone who needs to be informed is informed.

And don’t forget to write the correct IP addresses on a noticeboard so that you know what’s what!
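That noticeboard check, as an added example that is not part of the original article: given the scope sheet (the hostnames, the addresses the project team says they sit on, and the vantage point the testers will run from) and a list of hosts that must not be touched, it asks DNS what each name actually resolves to and flags every way the engagement above could have gone wrong before a single test packet is sent. All hostnames and addresses are constructed; the resolver used in the demo is a dictionary standing in for DNS, and `live_resolver` shows the real call you would inject instead.

```python
"""Pre-engagement scope check: confirm that each hostname the testers were
handed resolves to the addresses the project team expects, is reachable from
the agreed vantage point, and does not share an address with an out-of-scope
host such as the live production site.

Added example, not from the original article; every hostname and address
below is constructed."""
import ipaddress
import socket
from dataclasses import dataclass

# Ranges an external tester cannot reach: RFC 1918, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass
class Target:
    hostname: str
    expected_ips: frozenset    # addresses the project team says the host lives on
    vantage: str = "external"  # where the testers will sit: "external" or "internal"


def reachable_externally(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def live_resolver(hostname: str) -> set:
    """Resolver for real use; the demo below injects a constructed one instead."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def check_scope(targets, out_of_scope, resolver):
    """Return (hostname, code, detail) triples. An empty list means the scope
    sheet agrees with DNS and with the agreed vantage point."""
    owner = {}  # resolved address -> out-of-scope hostname that lives there
    for host in out_of_scope:
        for ip in resolver(host):
            owner[ip] = host

    problems = []
    for t in targets:
        resolved = resolver(t.hostname)
        if not resolved:
            problems.append((t.hostname, "NXDOMAIN",
                             "name does not resolve: typo on the scope sheet, or not published yet"))
            continue
        if resolved != set(t.expected_ips):
            problems.append((t.hostname, "IP_MISMATCH",
                             f"resolves to {sorted(resolved)}, scope sheet says {sorted(t.expected_ips)}"))
        for ip in sorted(resolved):
            if ip in owner:
                problems.append((t.hostname, "OVERLAPS_OUT_OF_SCOPE",
                                 f"{ip} also serves out-of-scope host {owner[ip]}; testing it tests that site"))
            if t.vantage == "external" and not reachable_externally(ip):
                problems.append((t.hostname, "NOT_EXTERNALLY_REACHABLE",
                                 f"{ip} is a private address; an external test cannot reach it"))
    return problems


# Constructed DNS view of the situation in the article: the live site has been
# public for years, the new build sits on an internal staging address.
FAKE_DNS = {
    "example.com":     {"203.0.113.10"},  # live production site (out of scope)
    "www.example.com": {"203.0.113.10"},  # same server, the name handed to the testers
    "new.example.com": {"10.20.30.40"},   # new site, internal staging only
}


def fake_resolver(hostname: str) -> set:
    return set(FAKE_DNS.get(hostname, ()))


def run_demo():
    scope_sheet = [
        Target("www.example.com", frozenset({"10.20.30.40"})),    # wrong name on the sheet
        Target("new.example.com", frozenset({"10.20.30.40"})),    # right name, but external vantage
        Target("stage.example.com", frozenset({"10.20.30.41"})),  # typo, name does not exist
    ]
    return check_scope(scope_sheet, out_of_scope=["example.com"], resolver=fake_resolver)


if __name__ == "__main__":
    for host, code, detail in run_demo():
        print(f"{host:20} {code:25} {detail}")
```

Run before the kick-off call and walk through every line of output with the developers and the internal IT team; the first finding above is exactly the one in the story, a target name that points at the live site rather than the one being built, and the third is what a tester sees when nobody checked that an externally run test can actually reach an internal staging server.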